Bug 1501695 - NULL Pointer Dereference vulnerability in libextractor EXTRACTOR_nsf_extract_method
Summary: NULL Pointer Dereference vulnerability in libextractor EXTRACTOR_nsf_extract_...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: libextractor
Version: 27
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Gwyn Ciesla
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2017-10-13 04:06 UTC by Leon
Modified: 2017-11-11 02:59 UTC
CC List: 2 users

Fixed In Version: libextractor-1.6-1.fc26 libextractor-1.6-1.fc25 libextractor-1.6-1.fc27
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-10-30 16:18:15 UTC
Type: Bug
Embargoed:


Attachments
POC file that crashes libextractor (26.47 KB, application/x-gzip)
2017-10-13 04:06 UTC, Leon

Description Leon 2017-10-13 04:06:00 UTC
Created attachment 1338044 [details]
POC file that crashes libextractor

Description of problem:
libextractor makes a NULL pointer dereference when parsing an NSF file; the code is in nsf_extractor.c line 164:
164       if (memcmp (head->magicid, "NESM\x1a", 5))
head was NULL when memcmp was called.

Version-Release number of selected component (if applicable):
libextractor v1.4

How reproducible:
./extract -i $POC

The output with AddressSanitizer enabled:
./extract -i extract-nsf_extract_method-nsf_extractor-164.crash
Keywords for file extract-nsf_extract_method-nsf_extractor-164.crash:
ASAN:SIGSEGV
=================================================================
==40794==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f867ba8c0b0 bp 0x7ffc6d83cd10 sp 0x7ffc6d83c498 T0)
    #0 0x7f867ba8c0af  (/lib/x86_64-linux-gnu/libc.so.6+0x16f0af)
    #1 0x7f867bfda74e in memcmp (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x7774e)
    #2 0x7f867773df8d in EXTRACTOR_nsf_extract_method /root/libextractor-1.4/src/plugins/nsf_extractor.c:164
    #3 0x7f867bd02792 in do_extract /root/libextractor-1.4/src/main/extractor.c:577
    #4 0x7f867bd02b98 in EXTRACTOR_extract /root/libextractor-1.4/src/main/extractor.c:655
    #5 0x4044c9 in main /root/libextractor-1.4/src/main/extract.c:977
    #6 0x7f867b93d82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #7 0x4017c8 in _start (/opt/asan/bin/extract+0x4017c8)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==40794==ABORTING

gdb and backtrace:
(gdb) run -i extract-nsf_extract_method-nsf_extractor-164.crash 
Starting program: /opt/asan/bin/extract -i extract-nsf_extract_method-nsf_extractor-164.crash
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Keywords for file extract-nsf_extract_method-nsf_extractor-164.crash:
Program received signal SIGSEGV, Segmentation fault.
__memcmp_sse4_1 () at ../sysdeps/x86_64/multiarch/memcmp-sse4.S:878
878     ../sysdeps/x86_64/multiarch/memcmp-sse4.S: No such file or directory.
(gdb) bt
#0  __memcmp_sse4_1 () at ../sysdeps/x86_64/multiarch/memcmp-sse4.S:878
#1  0x00007ffff6ee174f in memcmp () from /usr/lib/x86_64-linux-gnu/libasan.so.2
#2  0x00007ffff263df8e in EXTRACTOR_nsf_extract_method (ec=0x7fffffffa050) at nsf_extractor.c:164
#3  0x00007ffff6c09793 in do_extract (plugins=0x60800000b5a0, shm=0x0, ds=0x60300000ec20, proc=0x40255a <print_selected_keywords>, proc_cls=0x0) at extractor.c:577
#4  0x00007ffff6c09b99 in EXTRACTOR_extract (plugins=0x60800000b5a0, filename=0x60b00000aba9 "extract-nsf_extract_method-nsf_extractor-164.crash", data=0x0, size=0, 
    proc=0x40255a <print_selected_keywords>, proc_cls=0x0) at extractor.c:655
#5  0x00000000004044ca in main (argc=3, argv=0x7fffffffe4b8) at extract.c:977
(gdb) f 2
#2  0x00007ffff263df8e in EXTRACTOR_nsf_extract_method (ec=0x7fffffffa050) at nsf_extractor.c:164
164       if (memcmp (head->magicid, "NESM\x1a", 5))
(gdb) p head
$1 = (const struct header *) 0x0

Actual results:
crash

Expected results:
crash

Additional info:
This vulnerability was detected by Zhao Liang, Huawei Weiran Labs.
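
The report above shows `head` equal to `0x0` at the `memcmp`, but not how a pointer that should have been checked by a size guard ended up NULL. The following is an added illustration, not code from this bug report and not libextractor's own source: it shows one pattern that produces exactly that symptom, a `size_t` length compared against an `ssize_t` read return, where a `-1` error return converts to `SIZE_MAX`, the "short read" guard never fires, and the output pointer the callback never set stays NULL. Whether this is the exact root cause in libextractor 1.4 is an assumption here. The `mock_read` callback, the trimmed `struct header`, the status codes and the constructed byte strings are all hypothetical; the explicit NULL check inside the vulnerable variant is instrumentation so the program reports the condition instead of segfaulting the way the PoC does.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>
#include <sys/types.h>   /* ssize_t */

/* Hypothetical, trimmed header: only the bytes this example needs.
 * All fields are char so sizeof (struct header) == 8 with no padding. */
struct header {
  char magicid[5];     /* "NESM\x1a" for a real NSF file */
  char nsfversion;
  char songs;
  char firstsong;
};

enum nsf_status {
  NSF_OK = 0,          /* header read and magic matched */
  NSF_SHORT = 1,       /* guard fired: not enough data */
  NSF_BAD_MAGIC = 2,   /* header read, magic mismatch */
  NSF_NULL_HEAD = 3    /* instrumented: would dereference NULL */
};

struct ctx {
  const unsigned char *buf;
  size_t len;
  size_t pos;
};

/* Assumed read callback: returns -1 when fewer than `size` bytes remain and
 * leaves *data untouched. This models an error path, not libextractor's
 * actual implementation. */
static ssize_t
mock_read (void *cls, void **data, size_t size)
{
  struct ctx *c = cls;
  if (c->len - c->pos < size)
    return -1;
  *data = (void *) (c->buf + c->pos);
  c->pos += size;
  return (ssize_t) size;
}

/* Vulnerable pattern: size_t compared against ssize_t. When mock_read
 * returns -1, the usual arithmetic conversions turn it into SIZE_MAX,
 * "8 > SIZE_MAX" is false, and execution continues with data == NULL. */
static int
nsf_check_vulnerable (const unsigned char *buf, size_t len)
{
  struct ctx c = { buf, len, 0 };
  void *data = NULL;
  const struct header *head;

  if (sizeof (struct header) > mock_read (&c, &data, sizeof (struct header)))
    return NSF_SHORT;
  head = data;
  if (head == NULL)               /* instrumentation: report, don't crash */
    return NSF_NULL_HEAD;
  if (memcmp (head->magicid, "NESM\x1a", 5))
    return NSF_BAD_MAGIC;
  return NSF_OK;
}

/* Hardened pattern: keep the return value signed, reject errors before
 * comparing lengths, and never trust the out-pointer without checking it. */
static int
nsf_check_fixed (const unsigned char *buf, size_t len)
{
  struct ctx c = { buf, len, 0 };
  void *data = NULL;
  const struct header *head;
  ssize_t got = mock_read (&c, &data, sizeof (struct header));

  if (got < 0 || (size_t) got < sizeof (struct header) || data == NULL)
    return NSF_SHORT;
  head = data;
  if (memcmp (head->magicid, "NESM\x1a", 5))
    return NSF_BAD_MAGIC;
  return NSF_OK;
}

/* Constructed inputs (not derived from the attached PoC). */
static const unsigned char good_nsf[8]      = { 'N', 'E', 'S', 'M', 0x1a, 1, 1, 1 };
static const unsigned char truncated_nsf[3] = { 'N', 'E', 'S' };
static const unsigned char wrong_magic[8]   = { 'X', 'X', 'X', 'X', 0x1a, 1, 1, 1 };

int
main (void)
{
  printf ("good:      vulnerable=%d fixed=%d\n",
          nsf_check_vulnerable (good_nsf, sizeof good_nsf),
          nsf_check_fixed (good_nsf, sizeof good_nsf));
  printf ("truncated: vulnerable=%d fixed=%d\n",
          nsf_check_vulnerable (truncated_nsf, sizeof truncated_nsf),
          nsf_check_fixed (truncated_nsf, sizeof truncated_nsf));
  printf ("badmagic:  vulnerable=%d fixed=%d\n",
          nsf_check_vulnerable (wrong_magic, sizeof wrong_magic),
          nsf_check_fixed (wrong_magic, sizeof wrong_magic));
  return 0;
}
```

Building with `cc -Wall -Wextra` flags the comparison in `nsf_check_vulnerable` under `-Wsign-compare`, which is the cheapest way to find this class of guard across a plugin tree; the runtime check that matters is that a read error and a short read are both rejected before the header pointer is touched, as the fixed variant does.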

Comment 1 Fedora Update System 2017-10-20 13:00:32 UTC
libextractor-1.6-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-8cca61e2fa

Comment 2 Fedora Update System 2017-10-20 13:00:57 UTC
libextractor-1.6-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-4a42419c16

Comment 3 Fedora Update System 2017-10-20 13:01:12 UTC
libextractor-1.6-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-611d7cc98b

Comment 4 Fedora Update System 2017-10-21 19:29:31 UTC
libextractor-1.6-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-611d7cc98b

Comment 5 Fedora Update System 2017-10-22 02:25:37 UTC
libextractor-1.6-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-4a42419c16

Comment 6 Fedora Update System 2017-10-22 03:24:58 UTC
libextractor-1.6-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-8cca61e2fa

Comment 7 Fedora Update System 2017-10-30 16:18:15 UTC
libextractor-1.6-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2017-10-30 16:28:20 UTC
libextractor-1.6-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2017-11-11 02:59:47 UTC
libextractor-1.6-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
